The Government Must Save Our Children from Apple!

Editor’s Note: This morning I awoke in my well-secured hotel room to find a sticky note on my laptop that said, “The Securosis site is now under my control. Do not attempt to remove me or you will suffer my wrath. Best regards, The Macalope.”

Oh, wait, that’s not the title! Ha-ha! That would be silly! What with it being so overly frank.

No, the title is “It’s time for the FTC to investigate Mac security”.

You might be confused about the clumsy phrasing because the FTC, of course, doesn’t investigate computer security, it investigates the veracity of advertising claims. What Winkler believes the FTC should investigate is whether Apple is violating trade laws by claiming in its commercials that Macs are less affected by viruses than Windows.

“Apple gives people the false impression that they don’t have to worry about security if they use a Mac.”

Really? The ads don’t say Macs are invulnerable. They say that Macs don’t have the same problem with exploits that Windows has. And it’s been the Macalope’s experience that people get that. The switchers he’s come into contact with seem to know exactly the score: more people use Windows so malicious coders have, to date, almost exclusively targeted Windows.

Some people – many of them security professionals like Winkler – find this simple fact unfair. Sadly, life isn’t fair.

Well, “sadly” for Windows users. Not so much for Mac users. We’re kind of enjoying it.

“And perhaps because the company is invested in fostering that impression, Apple is grossly negligent in fixing problems. The proof-of-concept code in this case is proof that Apple has not provided a fix for a vulnerability that was identified six months ago. There is no excuse for that.”

OK, let’s set the story straight here because Winkler’s version reads like something from alt.microsoft.fanfic.net. The document in question was a minor technical note created in June of 2007 that got updated in December. The company did not “recant” the statement, it pulled the note after it got picked up by the BBC, the Washington Post and CNet as some kind of shocking double-faced technology industry scandal.

By the way, did you know that Apple also markets Macs as easier to use, yet continues to sell books on how to use Macs in its stores? It’s true! But if it’s so easy to use, why all the books, Apple? Why? All? The? Books?

“A ZDNet summary of 2007 vulnerabilities showed that there were five times more vulnerabilities for Mac OS than for all types of Windows PC operating systems.”

No citation, but the Macalope knows what he’s talking about. He’s talking about this summary by George Ou. George loved to drag these stats out because they always made Apple look worse than Microsoft. But he neglected to mention the many problems with this comparison, most importantly that Secunia, the source of the data, expressly counseled against using it to compare the relative security of the products listed because they’re tracked differently.

But buy Winkler’s book! The Macalope’s sure the rigor of the research in it is better than in this piece!

“How can Apple get away with this blatant disregard for security?”

How can Computerworld get away with printing unsourced accusations that were debunked a year and a half ago?

“Its advertising claims seem comparable to an automobile manufacturer implying that its cars are completely safe and its competitors’ cars are death traps, when we all know that all cars are inherently unsafe.”

That’s a really lousy analogy. But to work with it, it’s not that Apple’s saying its car is safer, it’s saying the roads in Macland are safer. Get out of that heavy city traffic and into the countryside.

“The mainstream press really doesn’t cover Mac vulnerabilities…”

The real mainstream press doesn’t cover vulnerabilities for any operating system. It covers attacks (even lame Mac attacks). The technology press, on the other hand, loves to cover Mac vulnerabilities, despite Winkler’s claim to the contrary, even though exploits of those vulnerabilities have never amounted to much.

“When I made a TV appearance to talk about the Conficker worm, I mentioned that there were five new Mac vulnerabilities announced the day before. Several people e-mailed the station to say that I was lying, since they had never heard of Macs having any problems. (By the way, the technical press isn’t much better in covering Mac vulnerabilities.)”

So, let’s get this straight. Winkler gets on TV and talks up Mac vulnerabilities in a segment about a Windows attack. But because he got five mean emails, the story we’re supposed to get is about how the coverage is all pro-Apple? Were the five emails from TV news anchors or something?

“And just to be clear, it is not that Apple’s software has security vulnerabilities that is the problem; all commercial software does. The problem is that Apple is grossly misleading people to believe otherwise.”

Wow, there is an awful lot of loose talk about how badly Apple is misleading the public with its wild claims. It’s somewhat surprising that Winkler doesn’t get around to actually quoting any of those very dangerous claims that the FTC should immediately investigate.

The Macalope thought about going back and pulling the quotes from the commercials and showing how all they actually do is say the Mac simply doesn’t have the virus problems Windows does (true!), but then he thought, hey, Winkler’s the one making the accusations. Why shouldn’t he be forced to back them up?

But buy Winkler’s book! The Macalope’s sure it’s awesome.

Winkler’s right that all commercial software has vulnerabilities. And Vista actually better implements technologies designed to make writing exploits harder. He’s also right that there’s been much to criticize Apple about over security. But the mildly honest parts of Winkler’s piece conflate vulnerabilities and exploits in an effort to make the Mac look worse and the dishonest parts are just utter fabrications (e.g. Macs are “frequently” hit by viruses).

An FTC investigation? That’s just standing on the diving board and jumping up and down yelling “Look at me! Look at me! Hey, everyone, look what I can do!”

Comments:


By LKM on 05/28 at 04:04 PM

Actually, many car manufacturers (VW, for example) do advertise the safety of their cars. The fact that driving is inherently dangerous does not mean that you’re equally secure in all cars. Same with computers. All computers which are connected to a network or accessible by untrusted people are inherently exploitable, but the probability of one’s computer getting exploited is not the same for all computers.

By Daniel on 05/28 at 04:23 PM

Would a better analogy be a small town advertising that the chance of your house getting broken into is far lower if you move to small town X than if you live in big city Y? Yes, big city Y has far better policing, and spends far more money on anti-burglary patrols, and yes, the night police force in small town X was just caught sleeping on the job, and yes, there isn’t even a local burglar alarm monitoring company in small town X—but despite the far higher security in big city Y, one is still far less likely to experience a break-in in small town X, and this isn’t an irresponsible claim on the part of those encouraging people to move to small town X?

By Rbo on 05/28 at 04:33 PM

I’d take the “Macland” metaphor a bit farther: if somebody is selling a house in the country and claims that the house is safer than a cheap ground-floor apartment in a run-down area of the city, should the FTC investigate them? Even if they don’t have bars on the windows or three locks on the doors?

And how far would a “crime expert” get with their book by ignoring the fact that such apartments get broken into regularly, while a house in the country will be robbed on average once a century?

By Glenn Fleishman on 05/28 at 04:49 PM

I miss George Ou. No, wait, I don’t. I just miss his profanity-filled emails to me.

By Steven Fisher on 05/28 at 05:18 PM

Macalope, when are you going to put out a book? That one I’d buy.

(Aside: One day, I hope we find out who the Macalope really is. Not any time soon, just one day. Because he rocks.)

By Indiana61 on 05/29 at 05:27 AM

@Steven Fisher

(Aside: One day, I hope we find out who the Macalope really is. Not any time soon, just one day. Because he rocks.)

One day not too long ago the Macalope made a mistake and posted one of his rants under his real name at Macworld. He is a fellow correspondent that writes for Macworld also.

But because I love both your works I will keep your secret!!

By Steven Fisher on 05/29 at 07:03 PM

@Indiana61
I don’t really want to know right now anyway. As long as he’s writing and for several years after, I’m content to be staring at antlers. :)

By Eye Forget on 06/03 at 11:48 AM

Yawn.

As a totally irresponsible surfer, I understand malware and viruses. I’ve had win boxes (job) and have had Macs since ’84.

Figure an average of a virus per day in win land. Some which got by Norton and caused whatever havoc they cause.

Sorry, can’t recall a single Mac malware or virus in 25 years of use. Of course they download occasionally and I get Apple’s little note about “hey, this is an exe file”. I go back to the support person’s comment, “Now pick it up and throw it out the window. You’re too stupid to use a computer.”

Oh, backups. Don’t recall ever being able to clone a win disk. 2 days to reload win. 1/2 hour while I pour an espresso to reload a Mac.

Yawn.

By Dan Shockley on 06/06 at 02:06 AM

Actually, this dopey piece was also carried by Macworld.com. It was pretty horrifying to see a blatantly inaccurate hit piece being carried by them.